I always thought of these sorts of sites as an excellent way of harvesting passwords to make lists for brute force attacks.

Previously I've seen sites linked, from Ars even, where you can supposedly check your password to see if it has been cracked from a stolen list. Whilst I doubt Ars would be as negligent as to forward visitors to a password harvesting site, I generally treat them all like this - as password harvesting sites.

Why is not having HTTPS such a problem in this case? I don't see Ars using HTTPS. If the site is just taking some input and telling you about a password, why is HTTPS a requirement?

Because, if you're an idiot, you use the same password on multiple sites, and then log on through compromised hotel WiFi (even though it's encrypted WiFi, someone simply booked a room, compromised it, and installed a rootkit).

So, I tried just a random idea. I took an old CD Key from a crappy RTS I hated as a template and tweaked a few characters, threw some salt on it, and Intel's site 'helpfully' estimated it would take ~863 years to crack.

The reason for the difference in numbers is, as the article hints at, that none of the sites are doing actual dictionary lookups.

At the very least, checking if parts of the password are in a dictionary would give better estimates, but you can only go so far doing estimates before you end up creating an actual password cracker!

E.g., checking for dictionary words isn't easy if words are strung together: ThisIsATest requires testing every possible combination of adjacent letters against a dictionary. Some clever optimizations can be done, but even so, doing a proper estimation is hard.

> Because, if you're an idiot, you use the same password on multiple sites, and then log on through compromised hotel WiFi (even though it's encrypted WiFi, someone simply booked a room, compromised it, and installed a rootkit).

I have been that idiot. :X

I would never put any of my real passwords into a site like this in the first place. I would choose something similar to see what it would report and extrapolate based on that. Assuming you don't hand over any of your "real" credentials, I don't see the point. The rest of the reasoning seemed to be based around the basic reasons why you should use HTTPS, and wasn't really specific to this site, after pointing out it was one of its biggest flaws.

The pwdmeter.js has a copyright date of 2007 on it, this is not exactly new stuff.

Granted Intel's might be smarter and do checking for different types of dictionary attacks, in which case maybe I could see them needing to offload onto a server, since JS might be too slow for the type of workloads, and such things are amazingly parallelizable and Intel has, if nothing else, lots of cores to throw at problems!

As far as I can tell, there's no evidence the Intel site sends passwords to a server. But that's immaterial. HTTP websites can be spoofed and made to do whatever the attacker wants, including slurping passwords.


No big deal either way, it just seemed odd to me.

The point is that real security comes from a layered approach. I put my faith into the fact that the WiFi was encrypted, and that was "enough" to log into non-crucial stuff. I didn't have anything important compromised because it all used HTTPS, and I didn't use the same passwords for those. If I were even a tad lazier, though, I would have put my employer at huge risk (as well as my paycheck).

Skin of my teeth, and all that. All I lost was a throwaway Gmail account and some forum logins.

There's certainly something sketchy about the site. It also mentions a sweepstakes, but then has no link (that I can find) to the terms and conditions of the sweepstakes or any other information about it.

Intel reckons XKCD's example password (with spaces) would take 182598077247 years to crack. XKCD reckoned 550 years at 1000 guesses/sec (which seems low, but there you go).

If XKCD's estimate of 44 bits of entropy is accurate, then Intel's estimate amounts to about 96 guesses per year. I'm fairly sure that even a CPU-based cracker could outdo that rate by a fair margin.

Edit: if 2^44 is without spaces, that's 121k guesses a year. Still not believing that for a second.

Intel appears to be working on a naive letter-by-letter approach, while xkcd used a word-by-word approach (effectively a 4-character password, where each character comes from the very large set of common English words). Not that it does much to support Intel's figure (in fact, demonstrating that you don't actually get ~8 bits of entropy per character under most circumstances is a blow to their method), but it would explain the discrepancy.
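Added example, not code from the thread, from Intel's meter or from xkcd: a small Python script that does the two things the estimation and entropy posts above talk about. It segments a password against a word list with a dynamic-programming split (the "clever optimization" for the ThisIsATest problem, so adjacent-letter runs are not tested over and over), then compares the naive letter-by-letter entropy with a word-by-word estimate, and back-calculates what guess rate a claimed crack time implies. The word list is a constructed toy one, the 2048-word dictionary size (11 bits per word, which reproduces the 44 bits for four words), and the character-class sizes are assumptions.

```python
import math

# Constructed toy word list for the demo; a real checker would load a full
# dictionary. DICT_SIZE is an assumption: 2**11 = 2048 common words, i.e.
# ~11 bits per word, the figure behind 44 bits for a four-word passphrase.
WORDS = {"this", "is", "a", "test", "correct", "horse", "battery", "staple"}
DICT_SIZE = 2048
SECONDS_PER_YEAR = 365.25 * 86400


def _segment_chunk(chunk, words):
    """Split a whitespace-free chunk into the fewest tokens, where a token is
    either a dictionary word or a single leftover character. Dynamic
    programming over prefixes: best[i] holds the best split of chunk[:i]."""
    p = chunk.lower()
    n = len(p)
    best = [(0, [])]
    for i in range(1, n + 1):
        cnt, toks = best[i - 1]                  # fallback: character on its own
        cand = (cnt + 1, toks + [chunk[i - 1]])
        for j in range(i):                       # any dictionary word ending at i?
            if p[j:i] in words:
                cnt, toks = best[j]
                if cnt + 1 < cand[0]:
                    cand = (cnt + 1, toks + [chunk[j:i]])
        best.append(cand)
    return best[n][1]


def segment(password, words=WORDS):
    """Split a password into dictionary words and leftover characters."""
    tokens = []
    for chunk in password.split():
        tokens.extend(_segment_chunk(chunk, words))
    return tokens


def charset_size(password):
    """Naive alphabet size inferred from the character classes present.
    Assumed class sizes: 26 lower, 26 upper, 10 digits, 33 other printable."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return max(size, 1)


def naive_bits(password):
    """Letter-by-letter estimate: every character drawn from the inferred alphabet."""
    return len(password) * math.log2(charset_size(password))


def word_aware_bits(password, words=WORDS, dict_size=DICT_SIZE):
    """Word-by-word estimate: each dictionary word is one symbol from a
    dict_size-word list; leftover characters keep the per-character estimate."""
    per_char = math.log2(charset_size(password))
    bits = 0.0
    for tok in segment(password, words):
        bits += math.log2(dict_size) if tok.lower() in words else per_char
    return bits


def years_to_crack(bits, guesses_per_second):
    """Years needed to exhaust a 2**bits search space at the given guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def implied_guesses_per_year(bits, claimed_years):
    """Guess rate a meter must be assuming if it claims claimed_years for 2**bits."""
    return 2 ** bits / claimed_years


if __name__ == "__main__":
    for pw in ("ThisIsATest", "correct horse battery staple"):
        print(pw, segment(pw),
              "naive bits:", round(naive_bits(pw), 1),
              "word-aware bits:", round(word_aware_bits(pw), 1))
    print("44 bits at 1000 guesses/s:", round(years_to_crack(44, 1000)), "years")
    print("44 bits in 182598077247 years implies",
          round(implied_guesses_per_year(44, 182598077247)), "guesses/year")
```

Run it and the four-word passphrase comes out at 44 bits under the word-aware estimate but at well over 150 bits under the naive one, which is the whole discrepancy in one number; the last line reproduces the "about 96 guesses per year" back-calculation from the post above.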

> would tell users they should never enter a password on a plain HTTP connection

Guess I can't log in to Ars anymore....

It looks like they are just using JavaScript to judge the password, so it shouldn't even get transmitted. There is something odd about the site though; maybe a work in progress? They mention a sweepstakes but there is no other information on it, even if you get a crazy number of years to crack.

> I would never put any of my real passwords into a site like this in the first place. I would choose something similar to see what it would report and extrapolate based on that. Assuming you don't hand over any of your "real" credentials, I don't see the point.

I wouldn't hand over any real credentials either. Nor do I click on any links that are e-mailed to me without checking where it truly goes, or ever click anything that says "click here to upgrade your Adobe Flash". It's common sense.

Yes, for you, me, and likely every person reading this article; that is common sense. For the *average* surfer, the target demographic for this little app? Not so much.

I work with a lot of 'otherwise intelligent but computer illiterate' people who wouldn't hesitate to put their real password into that website because "It's from McAfee/Intel/someone-I-should-trust".

> It looks like they are just using JavaScript to judge the password, so it shouldn't even get transmitted. There is something odd about the site though; maybe a work in progress? They mention a sweepstakes but there is no other information on it, even if you get a crazy number of years to crack.

They're using JavaScript to evaluate the password, but since they're not using HTTPS to serve the page and its JavaScript, either resource (the page or the JavaScript) could be modified in transit to send entered passwords to an attacker.

The "sweepstakes" (assuming it actually happens) is one of those "share on Facebook or Twitter and you could be randomly selected" sort of things.